H4cKr1337

CVE-2025-25758 - FULL DISCLOSURE

Mar 20th, 2025 (edited)
CVE ASSIGNED: CVE-2025-25758
CVE PUBLISHED STATE: PUBLISHED
CVE LINK: https://nvd.nist.gov/vuln/detail/CVE-2025-25758

Description:
An issue in KukuFM Android v1.12.7 (11207) exists due to android:allowBackup="true" being declared in the AndroidManifest.xml file. This configuration allows attackers with physical access to the device to extract sensitive cleartext information via Android Debug Bridge (ADB) backup functionality. Exploiting this vulnerability does not require rooting the device and can lead to the disclosure of critical internal application data such as shared preferences, configuration files, and local databases, which contain data in cleartext.

Impact:
Unauthorized access to sensitive application data
Exposure of user credentials or authentication tokens
Violation of user privacy and data protection standards
Potential misuse of personal or application-specific information
Compromise of application security posture

Attack Scenario:
Attacker gains physical access to the Android device
Enables USB debugging
Connects the device via ADB to a computer
Executes: adb backup -f com.vlv.aravali.ab com.vlv.aravali
Extracts backup data from the KukuFM app, including shared_prefs/, databases/ and other internal configuration files

Technical Details:
Vulnerability Type: Incorrect Access Control
CWE Classification: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Attack Type: Local
Affected Version: 1.12.7 (11207)
Affected Component: AndroidManifest.xml (android:allowBackup="true")
Impact: Information Disclosure

Affected Products:
KukuFM Android App: https://play.google.com/store/apps/details?id=com.vlv.aravali

Vendor Information:
KukuFM
https://kukufm.com/

Proof of Concept:
Enable USB debugging on the device
Connect device to computer via ADB
Run command: adb backup -f com.vlv.aravali.ab com.vlv.aravali
Analyze extracted .ab backup file to access sensitive app data
Observe cleartext contents in shared_prefs/, databases/, etc.
PoC at: https://ibb.co/S4J4tY2N

References:
CVE-2017-16835
CVE-2023-46918

Severity:
High

Fix:
Set android:allowBackup="false" in AndroidManifest.xml to prevent unauthorized ADB backups
Encrypt sensitive data stored locally in shared_prefs and databases
Use Android Keystore for securely storing authentication tokens and credentials
Regularly audit AndroidManifest configurations for insecure flags
Apply best practices for secure local data storage and access control

Discoverer:
Ishwar Kumar
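
The manifest audit recommended under "Fix", as an added example that is not part of the original advisory or the vendor's code: a Python check over a decoded (text) AndroidManifest.xml. The sample manifests are constructed and audit_manifest is a hypothetical helper name; the check goes slightly beyond the advisory by also flagging an undeclared allowBackup (the platform default is true), missing backup rules and android:debuggable.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (decoded text XML, e.g. as produced by apktool).
VULNERABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:allowBackup="true" android:label="Example" />
</manifest>"""
HARDENED = VULNERABLE.replace('allowBackup="true"', 'allowBackup="false"')
IMPLICIT = VULNERABLE.replace(' android:allowBackup="true"', "")


def audit_manifest(xml_text):
    """Return (flag, finding) tuples for backup- and debug-related settings."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return [("application", "no <application> element")]
    findings = []

    backup = app.get(ANDROID_NS + "allowBackup")
    if backup is None:
        # Omitting the attribute is not safe: the platform default is true.
        findings.append(("allowBackup", "not declared, defaults to true"))
    elif backup.strip().lower() == "true":
        findings.append(("allowBackup", "explicitly true"))
    elif backup.strip().lower() != "false":
        # e.g. @bool/... must be resolved against the app's resources.
        findings.append(("allowBackup", f"unresolved value {backup!r}"))

    if findings:
        # Backups are (or may be) enabled: check for rules limiting their scope.
        rules = [a for a in ("fullBackupContent", "dataExtractionRules")
                 if app.get(ANDROID_NS + a) is not None]
        if not rules:
            findings.append(("backupRules", "no include/exclude rules declared"))

    if (app.get(ANDROID_NS + "debuggable") or "").strip().lower() == "true":
        findings.append(("debuggable", "explicitly true"))
    return findings


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE), ("hardened", HARDENED),
                      ("implicit", IMPLICIT)):
        print(name, audit_manifest(xml))
```

Run it against the manifest decoded from each release build and fail the pipeline when the returned list is non-empty.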